Security Without Borders

"Mobile phones and Viagra have a lot in common," quipped Jason Rouse, Principal Consultant at Cigital, at the start of his keynote speech. "People don't know how to use them, but they like the results." The rest of Rouse's speech highlighted the multiple vulnerabilities that mobile devices may succumb to. The mobile environment's mix of hardware, software, and architectures can make security exceptionally difficult. At Cigital, Rouse works to identify risks in mobile applications. "My job is to break into banks, break into phones, and break into software... and it's a lot of fun," he said.

Rouse was addressing 150+ cyber-security professionals from colleges and universities across Virginia at the 2011 Virginia Alliance for Secure Computing and Networking (VA SCAN) Conference hosted by William & Mary Information Technology on October 6-7. The conference, themed "Security Without Borders", emphasized the challenges of securing mobile devices, particularly on college campuses. A recent article in the Chronicle for Higher Education underscores this concern.

What is VA SCAN?

VA SCAN's purpose is to strengthen information technology security programs within the Commonwealth of Virginia. It brings together Virginia higher education security practitioners, who develop and maintain security programs, as well as nationally recognized researchers in the field. The guiding principle: lasting improvements are made by "educating and guiding management and staff teams in defining and carrying out their own security strategies and ongoing security operations."

VA SCAN is a partnership of security professionals from George Mason University, James Madison University, the University of Virginia, Virginia Tech, and the Virginia Commonwealth University. Every year a conference is held by one of the partner universities. Even though William & Mary was only an advisor institution, IT's Pete Kellogg offered to host the 2011 conference. "We volunteered to host this year to support the cause," he stated. "Information security has to be a top priority for a campus with such a robust technology infrastructure." William & Mary has recently accepted a partnership in the alliance.

Sharing expertise

Thomas Jefferson (aka Bill Barker) opened the conference by sharing his insights on science and technology in the 18th century. Mr. Jefferson emphasized the importance of the free association of ideas, especially in the fields of math and science. Providing historical context, he explained how the foundation laid for scientific progress in his era has resulted in the technological advances of the current era.

A multitude of speaker sessions followed, sharing lessons learned, best practices, emerging technologies, and innovations in information security. One session that particularly piqued interest was by Dr. Roy Whitney of the Jefferson Laboratory. He gave a detailed forensic account of the recent cyber-attack the lab experienced. After the talk, a conference attendee leaned over to me and said, "I'm glad I've never had to deal with that - but I'll be better prepared if I ever do!"

In another session, W&M's Matt Keel and Norman Elton shared their knowledge about using open source tools to block traffic to malicious networks and domains. Apparently there was a lot of interest in the topic; the presentation room was packed. However, at the end of the session, Elton asked how many other institutions were using the techniques discussed, to which only one person raised their hand. "I was surprised, but it makes sense," Elton stated. "William & Mary is the perfect size to experiment with open source technology. We are small enough that it is manageable, but big enough to have the resources to learn and deploy new technologies. Sharing our experiences might encourage other schools to follow our lead."

W&M's Chief Information Officer, Courtney Carpenter, and Director of Academic Information Services, Gene Roche, participated in a panel discussion. They considered multiple viewpoints, such as those of campus leaders, faculty members, auditors, and IT technicians, and used that perspective to examine university information security practices. One discussion topic centered on password changes. Is it better to have a short password that is changed frequently or a long password that is static? Not all constituencies agree.

The second day of the conference brought a daylong SANS training class. Essentially, the course taught a method for administrators to hack into their own systems. When questioned why administrators would want to hack themselves, Phil Fenstermacher of Swem Library responded, "It's better for us to find our own weaknesses before others do it for us." Indeed, presentations throughout the 2011 VA SCAN Conference highlighted the need to be proactive, especially when it comes to information security.